cobaltstrike | 24f418bf69d16e85e94110b086abbbac86fcddf0659c89b6cc640f9fa655778e

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1d3dedb8b528883e64177d5e9ef0bc60
SHA1

9745c572859a598535e26e26e10c0596580d19f7
SHA256

24f418bf69d16e85e94110b086abbbac86fcddf0659c89b6cc640f9fa655778e
SHA512

3ed7b78d81b6d6c310b7c9be365b92105b29e560c82d820dc53bb73b3f4dd924a78aa64de612a1e9ae10159f9e3576f58022e7aface95f9f5bd469f5f3c76fb6
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibd56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023455-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-21.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-110.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023456-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-34.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4576-91-0x00007FF704970000-0x00007FF704CC1000-memory.dmp	xmrig
behavioral2/memory/4712-107-0x00007FF6CEED0000-0x00007FF6CF221000-memory.dmp	xmrig
behavioral2/memory/3000-113-0x00007FF71A900000-0x00007FF71AC51000-memory.dmp	xmrig
behavioral2/memory/3860-116-0x00007FF623EB0000-0x00007FF624201000-memory.dmp	xmrig
behavioral2/memory/2172-115-0x00007FF721C20000-0x00007FF721F71000-memory.dmp	xmrig
behavioral2/memory/4516-114-0x00007FF680130000-0x00007FF680481000-memory.dmp	xmrig
behavioral2/memory/2284-108-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp	xmrig
behavioral2/memory/2340-66-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp	xmrig
behavioral2/memory/3524-65-0x00007FF655680000-0x00007FF6559D1000-memory.dmp	xmrig
behavioral2/memory/3536-11-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	xmrig
behavioral2/memory/4816-125-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	xmrig
behavioral2/memory/3764-132-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp	xmrig
behavioral2/memory/1796-143-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp	xmrig
behavioral2/memory/464-144-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp	xmrig
behavioral2/memory/2648-140-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp	xmrig
behavioral2/memory/60-137-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp	xmrig
behavioral2/memory/2352-135-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/2788-131-0x00007FF630830000-0x00007FF630B81000-memory.dmp	xmrig
behavioral2/memory/2012-130-0x00007FF614330000-0x00007FF614681000-memory.dmp	xmrig
behavioral2/memory/3536-129-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	xmrig
behavioral2/memory/4648-147-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp	xmrig
behavioral2/memory/2644-148-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp	xmrig
behavioral2/memory/4816-149-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	xmrig
behavioral2/memory/4816-150-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	xmrig
behavioral2/memory/2064-155-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp	xmrig
behavioral2/memory/3536-206-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	xmrig
behavioral2/memory/2012-220-0x00007FF614330000-0x00007FF614681000-memory.dmp	xmrig
behavioral2/memory/2788-224-0x00007FF630830000-0x00007FF630B81000-memory.dmp	xmrig
behavioral2/memory/3764-223-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp	xmrig
behavioral2/memory/2284-235-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp	xmrig
behavioral2/memory/2340-232-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp	xmrig
behavioral2/memory/3000-236-0x00007FF71A900000-0x00007FF71AC51000-memory.dmp	xmrig
behavioral2/memory/2352-229-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/3524-227-0x00007FF655680000-0x00007FF6559D1000-memory.dmp	xmrig
behavioral2/memory/4712-231-0x00007FF6CEED0000-0x00007FF6CF221000-memory.dmp	xmrig
behavioral2/memory/4576-244-0x00007FF704970000-0x00007FF704CC1000-memory.dmp	xmrig
behavioral2/memory/4516-243-0x00007FF680130000-0x00007FF680481000-memory.dmp	xmrig
behavioral2/memory/3860-252-0x00007FF623EB0000-0x00007FF624201000-memory.dmp	xmrig
behavioral2/memory/2644-256-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp	xmrig
behavioral2/memory/4648-254-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp	xmrig
behavioral2/memory/2648-250-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp	xmrig
behavioral2/memory/60-249-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp	xmrig
behavioral2/memory/1796-246-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp	xmrig
behavioral2/memory/2172-240-0x00007FF721C20000-0x00007FF721F71000-memory.dmp	xmrig
behavioral2/memory/464-239-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp	xmrig
behavioral2/memory/2064-260-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3536	joRvhJV.exe
2012	UeNxRhq.exe
2788	SNlfEGR.exe
3764	sjIgAyG.exe
4712	moUvThO.exe
2352	vFaBcuC.exe
3524	uWOVjQi.exe
2340	RjnbSeK.exe
2284	TRZmZHx.exe
60	Kpwlsgs.exe
3000	DikWZTX.exe
2648	dyAfpNe.exe
4576	HNkDXbe.exe
4516	omkumlQ.exe
1796	boXpjRN.exe
464	qDTNTLL.exe
2172	RsgpZfo.exe
3860	UEypJbN.exe
4648	pwzqfDe.exe
2644	ACVBbxp.exe
2064	xwNEqOv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	upx
behavioral2/files/0x0008000000023455-5.dat	upx
behavioral2/files/0x000700000002345b-21.dat	upx
behavioral2/files/0x000700000002345e-31.dat	upx
behavioral2/files/0x0007000000023461-50.dat	upx
behavioral2/files/0x0007000000023464-64.dat	upx
behavioral2/files/0x0007000000023463-80.dat	upx
behavioral2/memory/4576-91-0x00007FF704970000-0x00007FF704CC1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-96.dat	upx
behavioral2/memory/4712-107-0x00007FF6CEED0000-0x00007FF6CF221000-memory.dmp	upx
behavioral2/memory/3000-113-0x00007FF71A900000-0x00007FF71AC51000-memory.dmp	upx
behavioral2/memory/2644-119-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp	upx
behavioral2/memory/4648-120-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp	upx
behavioral2/files/0x000700000002346a-118.dat	upx
behavioral2/files/0x0007000000023469-117.dat	upx
behavioral2/memory/3860-116-0x00007FF623EB0000-0x00007FF624201000-memory.dmp	upx
behavioral2/memory/2172-115-0x00007FF721C20000-0x00007FF721F71000-memory.dmp	upx
behavioral2/memory/4516-114-0x00007FF680130000-0x00007FF680481000-memory.dmp	upx
behavioral2/files/0x0007000000023468-110.dat	upx
behavioral2/memory/2284-108-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp	upx
behavioral2/files/0x0008000000023456-102.dat	upx
behavioral2/files/0x0007000000023466-98.dat	upx
behavioral2/memory/464-97-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp	upx
behavioral2/files/0x0007000000023465-94.dat	upx
behavioral2/memory/1796-92-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp	upx
behavioral2/memory/2648-87-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp	upx
behavioral2/files/0x0007000000023460-82.dat	upx
behavioral2/memory/60-75-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-67.dat	upx
behavioral2/memory/2340-66-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp	upx
behavioral2/memory/3524-65-0x00007FF655680000-0x00007FF6559D1000-memory.dmp	upx
behavioral2/memory/2352-58-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/files/0x000700000002345f-55.dat	upx
behavioral2/memory/2788-43-0x00007FF630830000-0x00007FF630B81000-memory.dmp	upx
behavioral2/files/0x000700000002345c-44.dat	upx
behavioral2/files/0x000700000002345a-34.dat	upx
behavioral2/files/0x000700000002345d-33.dat	upx
behavioral2/memory/3764-25-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp	upx
behavioral2/memory/2012-23-0x00007FF614330000-0x00007FF614681000-memory.dmp	upx
behavioral2/files/0x0007000000023459-22.dat	upx
behavioral2/memory/3536-11-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	upx
behavioral2/memory/4816-125-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	upx
behavioral2/memory/2064-127-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp	upx
behavioral2/files/0x000700000002346b-126.dat	upx
behavioral2/memory/3764-132-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp	upx
behavioral2/memory/1796-143-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp	upx
behavioral2/memory/464-144-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp	upx
behavioral2/memory/2648-140-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp	upx
behavioral2/memory/60-137-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp	upx
behavioral2/memory/2352-135-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/memory/2788-131-0x00007FF630830000-0x00007FF630B81000-memory.dmp	upx
behavioral2/memory/2012-130-0x00007FF614330000-0x00007FF614681000-memory.dmp	upx
behavioral2/memory/3536-129-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	upx
behavioral2/memory/4648-147-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp	upx
behavioral2/memory/2644-148-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp	upx
behavioral2/memory/4816-149-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	upx
behavioral2/memory/4816-150-0x00007FF624880000-0x00007FF624BD1000-memory.dmp	upx
behavioral2/memory/2064-155-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp	upx
behavioral2/memory/3536-206-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp	upx
behavioral2/memory/2012-220-0x00007FF614330000-0x00007FF614681000-memory.dmp	upx
behavioral2/memory/2788-224-0x00007FF630830000-0x00007FF630B81000-memory.dmp	upx
behavioral2/memory/3764-223-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp	upx
behavioral2/memory/2284-235-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp	upx
behavioral2/memory/2340-232-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ACVBbxp.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwNEqOv.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SNlfEGR.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vFaBcuC.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HNkDXbe.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qDTNTLL.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RsgpZfo.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omkumlQ.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\boXpjRN.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwzqfDe.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UeNxRhq.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sjIgAyG.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWOVjQi.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Kpwlsgs.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TRZmZHx.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\moUvThO.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RjnbSeK.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DikWZTX.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dyAfpNe.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\joRvhJV.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UEypJbN.exe	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3536	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4816 wrote to memory of 3536	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4816 wrote to memory of 2012	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4816 wrote to memory of 2012	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4816 wrote to memory of 2788	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4816 wrote to memory of 2788	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4816 wrote to memory of 3764	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4816 wrote to memory of 3764	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4816 wrote to memory of 4712	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4816 wrote to memory of 4712	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4816 wrote to memory of 3524	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4816 wrote to memory of 3524	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4816 wrote to memory of 2352	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4816 wrote to memory of 2352	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4816 wrote to memory of 2340	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4816 wrote to memory of 2340	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4816 wrote to memory of 60	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4816 wrote to memory of 60	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4816 wrote to memory of 2284	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4816 wrote to memory of 2284	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4816 wrote to memory of 3000	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4816 wrote to memory of 3000	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4816 wrote to memory of 2648	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4816 wrote to memory of 2648	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4816 wrote to memory of 4576	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4816 wrote to memory of 4576	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4816 wrote to memory of 4516	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4816 wrote to memory of 4516	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4816 wrote to memory of 1796	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4816 wrote to memory of 1796	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4816 wrote to memory of 464	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4816 wrote to memory of 464	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4816 wrote to memory of 2172	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4816 wrote to memory of 2172	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4816 wrote to memory of 3860	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4816 wrote to memory of 3860	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4816 wrote to memory of 4648	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4816 wrote to memory of 4648	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4816 wrote to memory of 2644	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4816 wrote to memory of 2644	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4816 wrote to memory of 2064	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4816 wrote to memory of 2064	4816	2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_1d3dedb8b528883e64177d5e9ef0bc60_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\System\joRvhJV.exe
  C:\Windows\System\joRvhJV.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\UeNxRhq.exe
  C:\Windows\System\UeNxRhq.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\SNlfEGR.exe
  C:\Windows\System\SNlfEGR.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\sjIgAyG.exe
  C:\Windows\System\sjIgAyG.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\moUvThO.exe
  C:\Windows\System\moUvThO.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\uWOVjQi.exe
  C:\Windows\System\uWOVjQi.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\vFaBcuC.exe
  C:\Windows\System\vFaBcuC.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\RjnbSeK.exe
  C:\Windows\System\RjnbSeK.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\Kpwlsgs.exe
  C:\Windows\System\Kpwlsgs.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\TRZmZHx.exe
  C:\Windows\System\TRZmZHx.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\DikWZTX.exe
  C:\Windows\System\DikWZTX.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\dyAfpNe.exe
  C:\Windows\System\dyAfpNe.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\HNkDXbe.exe
  C:\Windows\System\HNkDXbe.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\omkumlQ.exe
  C:\Windows\System\omkumlQ.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\boXpjRN.exe
  C:\Windows\System\boXpjRN.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\qDTNTLL.exe
  C:\Windows\System\qDTNTLL.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\RsgpZfo.exe
  C:\Windows\System\RsgpZfo.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\UEypJbN.exe
  C:\Windows\System\UEypJbN.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\pwzqfDe.exe
  C:\Windows\System\pwzqfDe.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\ACVBbxp.exe
  C:\Windows\System\ACVBbxp.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\xwNEqOv.exe
  C:\Windows\System\xwNEqOv.exe
  2⤵
  - Executes dropped EXE
  PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ACVBbxp.exe

Filesize
5.2MB

MD5
e14a47d31912c9d331bb5f94544ea88e

SHA1
943410abcdd1f81f5b61675a13a37e8889821918

SHA256
8c0fe15e7686f6c06852a157afa3e449f0f59f43dd5535ffbbeefe38575ff1ad

SHA512
b756ae49d5198376d7465af2f13a70c0a60ca3476cad0f33f31e21fd5398d9e49bbb9014ad2ea4cea5a889b001d41a7e95258925772ec2b9ab04ea459201f740

Download Submit
C:\Windows\System\DikWZTX.exe

Filesize
5.2MB

MD5
5da75cfe415c65c2b10212c9178639ee

SHA1
e4a547d842dea1b8c932b9ad27d0fe7576eafbfc

SHA256
7c04d9e186de25b9a214a02e031d788f0448aa9e0b1bfa9ac597f0ca36b202d5

SHA512
771a0f118fe2ade5ebf7d1a2356dc4e9e67effa71ce6b4b87fea0038bd48be58afc52f6be2dac8f9f8718cf3369ab26a7048ea6a711c3e2b4750caf9691e18c4

Download Submit
C:\Windows\System\HNkDXbe.exe

Filesize
5.2MB

MD5
83f044b1532d864331447f4c5c940129

SHA1
e843d04bccbdb41eb017131b7ddcdbd3deb079ec

SHA256
196319fcc28fdcd24cafa64560649d60be2f66dad9ffd8e790a6945fcdba80c8

SHA512
0acffb765479ee12207ba84bc7cfa8722fe1de298987483cd6d29556225cb372047395204a8a0b3e8b4a61df1a1b6daa142cbd1b6fd7fc2eb160836acdca9222

Download Submit
C:\Windows\System\Kpwlsgs.exe

Filesize
5.2MB

MD5
fb078425fe27f941e6c13df7922e7103

SHA1
df5cfeb9f22026ce49a81492cb1a6d16ba4d11f5

SHA256
33496f6fd0caa1d909a01d38cb2c1493dbfbe3a0778595b915987f3a3b1f5574

SHA512
293320c9b02b6b5075f3cbc6a04e8727ec00007ab03ae4e0cd79e64afe35d90893f95cf55c9a02e923c2a130f42d8906285a39fd0406b3a7795e7bc33673e317

Download Submit
C:\Windows\System\RjnbSeK.exe

Filesize
5.2MB

MD5
b7f158f53eec4d4613c29325ce68857b

SHA1
ed13de28d8b1a650736c77e1c179a66754a50a29

SHA256
c6a43f45f151bdddc278a4409aeed0091c96417030960cdfa8a4ee9cceb4fc8e

SHA512
047f3051970b97e54875a50fa838491a803e413a291eeb1c51783c5ba5dafe3ab04a50347e4db73acab748d8e0597c94309ccaecbfbf23ad103abc27edae1219

Download Submit
C:\Windows\System\RsgpZfo.exe

Filesize
5.2MB

MD5
c1a085536fb8e6576c8720ba72269a0c

SHA1
87dc28fce4bfd60f4fe7de6f25d8a2fc891788c3

SHA256
596346db6d5d4538d369c36292f17a1879d94b9b7b1bf15706d8ad3dc252253b

SHA512
c506cf3bb1b17a993434ab83ce8efe909903bfa2e15583526c8c193cfc752e54f0cde136abb11ccd8dd4f407ac947c26989bef0f2ae595cb84701cbaa078da23

Download Submit
C:\Windows\System\SNlfEGR.exe

Filesize
5.2MB

MD5
539e3813ee89acd7cc547a31073160c8

SHA1
ce12f2fb848776121faac6eba14d2829bd6f99c5

SHA256
651b314dfd6deae10c63adf31c93a0fe95e502e2616cfc8faa39bf07b8318cd6

SHA512
4f25058be6f90ffe09a491e8a031c36f7998ee90f30be846d579dfb8a46ae8c2a354cefa58577dccda57422ff1f2cde33e858a591d74fba0067758e0fd86042a

Download Submit
C:\Windows\System\TRZmZHx.exe

Filesize
5.2MB

MD5
33210b8394921508189e1f4e57b0a8e3

SHA1
ea5c78605299a103ea946d47ab3df80383801fb1

SHA256
3e9e74b88c49ee6733692658224460e8cf636b86c5a354695aa84c364f030bcf

SHA512
a1a0d370d3691a3e3ff0f853df9e418a80519d606fee8a50f543b727564b7e799ab674009c38321475463615aa9cd11c5751cd4866dd281d1b95f43427fced14

Download Submit
C:\Windows\System\UEypJbN.exe

Filesize
5.2MB

MD5
01f667c2480f380216e1a26afdee5366

SHA1
348ee42ae0af6995db1f269f3d9f86b1047a208f

SHA256
1af1f771f589c7f46070b61dd3e4ffb437ec2855d49ad5f8ba5fb3abd7d8618b

SHA512
ea0b73a8316416e3d7ec4b241dd5314b39b72aa77d05c0d7d4c48031fac69f825964b549db8c5530dbf943de46a247881c3044f8473e1706726cce68f99c2a68

Download Submit
C:\Windows\System\UeNxRhq.exe

Filesize
5.2MB

MD5
bc08e2def3a2e77bfe98b3b9a00c8431

SHA1
301b0f7463a8a33da3a6620cf90580d865c293a7

SHA256
0b2be1a1f98932f89937dcda7c112e00b61871b34eea9e1776f0f05cda953d24

SHA512
f2ae8b1e81088a34586565cf7ec2b8f33ab3d143faf12c6f238a225471acc01b66000a14b2a98a1f9721912cb21f48253f69bf3c532bda1137975c0d096b4aca

Download Submit
C:\Windows\System\boXpjRN.exe

Filesize
5.2MB

MD5
5b3d3f4021e63cdeeec93936de4bfb0a

SHA1
eaa0c0936066f2d2fb8a83d2e644ace74621f8ad

SHA256
bb8a0e99cddf7618e6ab98fad30a4c24c421b8fd46cf75508a8bc4b307493957

SHA512
6127033ca1e731ee36b928042ec89027115412a108a9a0b1a7631c7bf6d15e625df5291973c8379fbb54f807b7409807655c05d57f152c359390082488b2b563

Download Submit
C:\Windows\System\dyAfpNe.exe

Filesize
5.2MB

MD5
3a4f06ca9c81b4f2bfd3a37e4ed15b0b

SHA1
1ead45242f88608752acc67e8e38b9d0fc30c105

SHA256
09efb0f02afba5d2378e2a6e93eda305821e172220568a859c7a101754860662

SHA512
c6253ee795f1ef77057415d3b1f1f1917705fbaedf759499deb5c74291cc7a7875b2935741b620c92a81c844655ad1925bc8cf9dca452eafba5af575d3faf1a1

Download Submit
C:\Windows\System\joRvhJV.exe

Filesize
5.2MB

MD5
9b655493f01b878c4e4d751d3198a63c

SHA1
3f370562fa9268f3649bb8bcaf705a9050cdbcbc

SHA256
d705ae68b9f7f95d8c3e61eac17347ae728156844396eefa2b03051da7383af8

SHA512
968ccc991e48a723c82fe71eafd8164347aa04aaf6c62543176a38f33cee28e2caaf0b6a7fa77f42f23078d47928f920f64f3c945bf25ab01f83f52e74ce2253

Download Submit
C:\Windows\System\moUvThO.exe

Filesize
5.2MB

MD5
d4ce3ddb300714fe71ab5ee1f7f7531c

SHA1
90128e7a4fdcfabc9c557e19abeed8c8cde5d78d

SHA256
52ee1ce5da4626bf024fa85a64b4373838c8446ab41e7130b0670dea5af680ed

SHA512
7768e64547d35a9820caea2e8fa3c4eab6cf3753729a1e8dd83a51778add5fc8285552b26e0ecab573f3b334c783e0ef320ab47172c85aecb12c4c587e986e0c

Download Submit
C:\Windows\System\omkumlQ.exe

Filesize
5.2MB

MD5
049ccbd9b19ba10ee6f1d888493c761c

SHA1
6365a84929ff5b06074e850e61904eb319eef9bb

SHA256
a9b2dc857ecb47a6ea2eb0924e6d0a2fddb61b724796b86cdf91bb1766f05123

SHA512
b1b94456db105de63592ba56b2564010a0acd7287b197be6e1105129c072a85b4588f88d0f44b0e8367011b418c2ed8c0da22b1ace0e21b513936155ae1c7880

Download Submit
C:\Windows\System\pwzqfDe.exe

Filesize
5.2MB

MD5
63712832f2e6bfe2a7a64bf05c2d94b1

SHA1
df3ddbd3e7f29fedb5a4921008e21075e90daa25

SHA256
d2fe8a5c09c85269598c646f2cfd0020e1b45be1fe001d478453d0b56c73d3e1

SHA512
3b3f4e687f6c070f10cf408ce06b1cd8a487bcdba0cb87dda672ac14e12188ea8ec83fba219a876e6c138863705eb8cdcb26a149ca1dcc53d9d9a1e6018677ae

Download Submit
C:\Windows\System\qDTNTLL.exe

Filesize
5.2MB

MD5
67df955e4d6e1246cb86caf32d5053eb

SHA1
8dfef5db316e786114a1c11885a4f22b81b5512d

SHA256
c5187af16a54f9e192fe6deb390ff02a9ffec17437dcd77ecef95aac250e9e38

SHA512
f4cdd4c05bec13db7382fa986272e01e644478fc1e28b2727e26f5c3a9a8ff34f77fec12bb1dbae7c0fc73fabe9f3b90724941887c23016c3ef500ad01ab741e

Download Submit
C:\Windows\System\sjIgAyG.exe

Filesize
5.2MB

MD5
41a1fe58262908c5c011b485cfe5ebd5

SHA1
c82e71c5581ff410f2e42b6f1a2f378e004be62a

SHA256
f2121c8970cedca6da3846ba80287b8e8026d0727125eac53e017e19916715aa

SHA512
543abbad47f65b1d1404b3ac292daa08182d33e77e4ae1fba142416d4f0bdb946eb93c31ab15643d4408f7fd64bfcc1e6c8528e3106c11f9014e74fd65ac9e00

Download Submit
C:\Windows\System\uWOVjQi.exe

Filesize
5.2MB

MD5
aafae9178dcc1d5b560b3c9400bb76d1

SHA1
29637141bc8db5e9b89edb6a78c44437bb5a8443

SHA256
c352cb84981a433f2b24b1307dbda52597082b1d94ed2c8d953a1a4a3d9633ea

SHA512
96657231e03dc67d77dda3f2e9eaf6180b62c17b909b9dd2e314b367e98795420367910c20aa04b1e301d8f741998bc7b43ca518ba05021772fd04be0ff77cac

Download Submit
C:\Windows\System\vFaBcuC.exe

Filesize
5.2MB

MD5
c2cb4baee12210d97d4eb0d4d75a2328

SHA1
5c6f136cacba8748ecc9f63db1224deaec438c8a

SHA256
5b81a918d7e64e29333733fdd6a4a058ae0b379aef1eaab830f14ecb5d1e338a

SHA512
3ac0ca0b8e729fd99aeb975f8f0afae10fb405903ad6f558de475ff9aaf47e4316282ba74ab6a00b037e1bd0bad62c2af95a08b05b11ddd7a66a4c1a5d6dbf40

Download Submit
C:\Windows\System\xwNEqOv.exe

Filesize
5.2MB

MD5
15f486a0b521a606a815cf42ab80c987

SHA1
eb5519bacc40455b49ec2e5b338cf093319dd07b

SHA256
3ab6d86b451a71a6e361df89463b054104f66402b0576a8e185425ed0b1105ba

SHA512
1d20479c903cc044e6b96c9611f537b149ba66de98e7aa37fbd1708c36bb2c051f52cd6a90b0242e47f82c8b2bcc681e7758ea49ab4be5ffef24f025fbe2c2d1

Download Submit
memory/60-137-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.3MB

Download
memory/60-249-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.3MB

Download
memory/60-75-0x00007FF6A0A50000-0x00007FF6A0DA1000-memory.dmp

Filesize
3.3MB

Download
memory/464-144-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp

Filesize
3.3MB

Download
memory/464-97-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp

Filesize
3.3MB

Download
memory/464-239-0x00007FF7DB0E0000-0x00007FF7DB431000-memory.dmp

Filesize
3.3MB

Download
memory/1796-143-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-92-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-246-0x00007FF6C3F70000-0x00007FF6C42C1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-23-0x00007FF614330000-0x00007FF614681000-memory.dmp

Filesize
3.3MB

Download
memory/2012-220-0x00007FF614330000-0x00007FF614681000-memory.dmp

Filesize
3.3MB

Download
memory/2012-130-0x00007FF614330000-0x00007FF614681000-memory.dmp

Filesize
3.3MB

Download
memory/2064-127-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-260-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-155-0x00007FF67AA70000-0x00007FF67ADC1000-memory.dmp

Filesize
3.3MB

Download
memory/2172-115-0x00007FF721C20000-0x00007FF721F71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-240-0x00007FF721C20000-0x00007FF721F71000-memory.dmp

Filesize
3.3MB

Download
memory/2284-235-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp

Filesize
3.3MB

Download
memory/2284-108-0x00007FF6D5130000-0x00007FF6D5481000-memory.dmp

Filesize
3.3MB

Download
memory/2340-232-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp

Filesize
3.3MB

Download
memory/2340-66-0x00007FF7F7610000-0x00007FF7F7961000-memory.dmp

Filesize
3.3MB

Download
memory/2352-229-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-135-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-58-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-148-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp

Filesize
3.3MB

Download
memory/2644-119-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp

Filesize
3.3MB

Download
memory/2644-256-0x00007FF7E4DF0000-0x00007FF7E5141000-memory.dmp

Filesize
3.3MB

Download
memory/2648-87-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp

Filesize
3.3MB

Download
memory/2648-140-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp

Filesize
3.3MB

Download
memory/2648-250-0x00007FF787BD0000-0x00007FF787F21000-memory.dmp

Filesize
3.3MB

Download
memory/2788-131-0x00007FF630830000-0x00007FF630B81000-memory.dmp

Filesize
3.3MB

Download
memory/2788-43-0x00007FF630830000-0x00007FF630B81000-memory.dmp

Filesize
3.3MB

Download
memory/2788-224-0x00007FF630830000-0x00007FF630B81000-memory.dmp

Filesize
3.3MB

Download
memory/3000-113-0x00007FF71A900000-0x00007FF71AC51000-memory.dmp

Filesize
3.3MB

Download
memory/3000-236-0x00007FF71A900000-0x00007FF71AC51000-memory.dmp

Filesize
3.3MB

Download
memory/3524-65-0x00007FF655680000-0x00007FF6559D1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-227-0x00007FF655680000-0x00007FF6559D1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-206-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-11-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-129-0x00007FF66BF90000-0x00007FF66C2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-132-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-223-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-25-0x00007FF61C570000-0x00007FF61C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-116-0x00007FF623EB0000-0x00007FF624201000-memory.dmp

Filesize
3.3MB

Download
memory/3860-252-0x00007FF623EB0000-0x00007FF624201000-memory.dmp

Filesize
3.3MB

Download
memory/4516-243-0x00007FF680130000-0x00007FF680481000-memory.dmp

Filesize
3.3MB

Download
memory/4516-114-0x00007FF680130000-0x00007FF680481000-memory.dmp

Filesize
3.3MB

Download
memory/4576-91-0x00007FF704970000-0x00007FF704CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-244-0x00007FF704970000-0x00007FF704CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-120-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp

Filesize
3.3MB

Download
memory/4648-254-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp

Filesize
3.3MB

Download
memory/4648-147-0x00007FF6B65D0000-0x00007FF6B6921000-memory.dmp

Filesize
3.3MB

Download
memory/4712-107-0x00007FF6CEED0000-0x00007FF6CF221000-memory.dmp

Filesize
3.3MB

Download
memory/4712-231-0x00007FF6CEED0000-0x00007FF6CF221000-memory.dmp

Filesize
3.3MB

Download
memory/4816-0-0x00007FF624880000-0x00007FF624BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-125-0x00007FF624880000-0x00007FF624BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-150-0x00007FF624880000-0x00007FF624BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-149-0x00007FF624880000-0x00007FF624BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-1-0x000001D2AE840000-0x000001D2AE850000-memory.dmp

Filesize
64KB

Download